Revisiting IT Fundamentals: Building on the Past for a Secure Future

It feels like basic principles developed over the past two decades in IT standards are being ignored because there is this shiny “cool" new thing called Azure, and it feels like a reminder (or perhaps a rant) is merited.

I spent the early years of my career as a Microsoft Systems Engineer, developing and managing Active Directory based networks for thousands of employees. I think Microsoft Active Directory and its suite of services is, simply put, a genius system that enables productivity and ease of systems management. The work that would've taken us months to complete was done by a couple of policy changes or development through MS systems in minutes. Yes, some would say I was a Microsoft fanboy, despite the fact I also worked with FreeBSD and Network Infrastructure. At the same time, we had to deal with the constant bombardment of patches and updates to our systems that almost always broke something else. We understood the fact that it's a VERY complex system and no way could they ever account for everything despite how hard they tried, so our job was to remediate the impact of these updates.

Because of the complexity of the system, not out of distrust to Microsoft, we knew for a fact the systems could be exploited at any given minute, by today’s standard we were by default in zero-trust mode. When complexity of a system increases, the potential of exploitable bugs also increases tremendously. It's far easier to exploit a system than build one. That is why we also had the responsibility to ensure our Microsoft systems were behind independent systems that acted as a firewall layer. These systems were completely isolated and had no relation to our MS systems. We could've obviously used RADIUS to enable some integration, but for security reasons we opted for a completely isolated layer using entirely different technology. We also used anti-virus systems like Norton and not because they were a perfect system that could absolutely protect us, but rather could help as an additional layer, and even though Microsoft have started creating internal security solutions, a third-party solution provided a better check on systems. This was alongside the plethora of security settings we enabled inside our MS network.

This wasn't complexity for the sake of complexity or job security. Rather it was our job to understand the situation and create the best possible solution that fits our company needs while keeping simplicity in security. At any moment we knew the only place our network could connect to the internet and had the ability to shut it down without causing any major disruptions to our company. We had the disconnect "button" that allowed us to create isolated islands when necessary.

If a new exploit for MS was released, we were able to monitor activity going to our network to analyze for its impact and we were able to filter it out at our network layer far before it reaches our MS layer. We used simple solutions like VPN to allow outside employees to access our internal network resources. We created isolated networks for our public facing services (DMZ) and separate management networks allowing us management access in case of a catastrophic failure (OOB).

It seems that by all of us getting on a single platform that is publicly accessible, we have decided to throw all of that into the recycling bin, put all our eggs in one basket and say what could possibly go wrong? We are sure Microsoft has this even though we just simply made it tremendously easier and more enticing for malicious actors to find exploits. We then started blaming the bad actors for doing bad things rather than re-evaluating our approach to security.

We are collectively impressed by the positive potential of Machine Learning and Artificial Intelligence, yet no one seems to be worried about how AI/ML will make it far easier to identify and execute mass exploitation of systems especially when the targets are as centralized as we are today. The fact is it will be far easier for AI to be used to exploit systems, than add more complexity defending a system.

Businesses have decided to move everything online, where one simply cannot pull the plug in an emergency without causing major service disruption to their employees. Our networks have simply become a communication layer to the cloud, and we’re told that all the security functionalities are embedded in the Azure suite. Well, newsflash— many were also available in MS AD days but that didn't for a minute make us believe that it was a wise choice to rely on a single vendor exclusively or be linearly dependent on any one service provider for security.

We need to stop the blame game, the flailing hands, and saying well, if not Microsoft then what can we do? We knew what we could do, and we always have. Organizations just decided to stop using it, ignored us, and moved on to a new generation of IT professionals exclusively reliant on Third-Party Managed Cloud Solutions. When we were approached with the cloudification frenzy of the company board, we did what we have always done when our organizations refused a request for an urgent systems upgrade, wait until it blows up and be asked to help and do the “I told you so” dance. I think it has been blowing up quite often these days that companies have become desensitized to it, perhaps almost giving up on the situation that there is no solution to the dark situation we are in.

It is not hopeless, not yet... the solutions are out there but they require going back to the fundamentals of IT for answers. They require brave executive actions that take control back and put trust in their IT department bringing back their infrastructure under their management. By no means I do not want to be misunderstood as our systems a decade ago were superior, far from it. We had to develop solutions on the fly and rarely had the time to evaluate properly, but through their imperfections we found relying on multiple vendors offered accountability and resilience. What we built deserves to be built upon, not discarded. That era offered us solid foundations from that I believe we must re-examine our path forward.

We are in the age of Information Technology and that is without a doubt the reality of our times. We are more than ever dependent on our IT infrastructure and its security is paramount to ensure our continued progress forward. The window of asking the tough questions and examining our approach is quickly closing on us with software vendors opting to provide some solutions exclusively through their cloud platforms because of the lack of pushback. It is our duty and responsibility to our society to ensure we are taking not the easiest way forward, but the best way forward. ?